Sunday, February 19, 2017

An Air Force WC-135 Constant Phoenix aircraft, like the one currently deployed to a U.S. base in Great Britain. The jet's arrival last Friday--coupled with a spike in Iodine 131 levels in Europe--has touched off speculation about a possible Russian nuclear test or reactor mishap (USAF photo)

President Trump's next National Security Adviser will have to hit the ground running. Along with the litany of issues already on the plate, the new NSA may also inherit a nuclear incident involving Russia.

And we're not referring to Vladimir Putin's on-going efforts to expand his nation's nuclear arsenal, including the recent cruise missile deployment that violated the INF treaty. According to various media outlets, Moscow deployed the SSC-8 missile system last December, during the waning days of the Obama Administration. While President Obama and his advisers were aware of the deployment, they did not respond, pushing that responsibility off on Mr. Trump and his fledgling national security team.

Iodine-131 (131I), a radionuclide of anthropogenic origin, has recently been detected in tiny amounts in the ground-level atmosphere in Europe. The preliminary report states it was first found during week 2 of January 2017 in northern Norway. Iodine-131 was also detected in Finland, Poland, Czech Republic, Germany, France and Spain, until the end of January.

Iodine-131 is a radionuclide with a short half-life (T1/2 = 8.04 day).
The detection of this radionuclide is proof of a rather recent release.

[snip]

It must be pointed out that only particulate iodine was reported. When
detectable, gaseous iodine is usually dominant and can be estimated to
be 3 to 5 times higher than the fraction of particulate iodine.

[snip]

The data has been shared between members of an informal European network called Ring of Five gathering organizations involved in the radiological surveillance of the atmosphere. In France, IRSN is responsible for monitoring the radioactivity of the atmosphere on a nation-wide scale. Its surveillance network OPERA-Air includes high-volume aerosol samplers (700 to 900 m³ of air per hour) and measurement equipment capable of detecting trace amounts of radioactivity.

No explanation has been given for the sudden detection of Iodine 131 across Europe. There has been no confirmation of a resumption of nuclear testing by Russia, or reports of a reactor incident in the Arctic region.

But the area was once a key component of Moscow's nuclear research and development effort. During the Soviet era, the Novaya Zemlya archipelago was the site of more than 200 nuclear weapons tests, both above and below ground. In 1961, the Soviets conducted the largest atmospheric nuclear blast in history, the Tsar Bomba test, with an estimated yield of more than 50 megatons. All told, the scores of nuclear blasts conducted at Novaya Zemlya had a collective yield of more than 265 megatons of TNT; for comparison, all detonations during World War II (including the atomic bombs dropped on Hiroshima and Nagasaki) had a combined yield of only two megatons.

The last official nuclear test at Novaya Zemlya occurred almost 30 years ago, but sub-critical experiments, involving only a few grams of weapons-grade plutonium, have been conducted on a yearly basis since the late 1990s. Additionally, some analysts believe there may have been a larger test staged at the site in 1997, based on a small earthquake detected beneath the ocean. The event, which occurred in mid-August of that year, may have been triggered by a small nuclear test, measuring between 100 and 1,000 tons of TNT. Russia has long been interested in perfecting nuclear weapons with very small yields, perhaps for use in penetrating or silo-busting bombs and warheads.

There have also been rumors of renewed activity at Novaya Zemlya in recent months, ahead of the Iodine 131 release. But so far, no linkage has been established between the reported activity and detection of Iodine 131 at monitoring stations across Europe. The Russian Navy's Northern Fleet also maintains an extensive presence in the area, including nuclear-powered surface vessels and submarines stationed at bases on the Kola Peninsula. But there has been no confirmation of any recent mishaps involving those units.

Whatever the source, the spike in Iodine 131 has attracted the attention of the Department of Defense, which dispatched a WC-135 Constant Phoenix "sniffer" aircraft to the U.K. on Friday. Part of the 55th Wing at Offutt AFB, Nebraska, Constant Phoenix is equipped to detect radioactive particulate and gases released after a nuclear explosion. There are only two WC-135s in the active inventory (and one of the aircraft is said to be in depot maintenance), making the deployment highly significant, particularly in light of on-going requirements to monitor nuclear activity in North Korea. On occasion, the WC-135 has stopped at RAF Mildenhall before heading to the Far East, but there has been no indication the Phoenix bird that arrived Friday has continued a deployment flight to Asia.

Assuming the operational focus is Russia, the WC-135 will conduct collection flights in the coming days--if they're not already underway. Data gathered by Constant Phoenix will help U.S. policy makers determine the source of the Iodine 131, and formulate a potential response. Particulate iodine would be more consistent with some sort of low-level nuclear detonation, while the gaseous variant is often associated with a reactor mishap. To date, levels of Iodine 131 detected in Europe have been well below those reported after the Chernobyl disaster in the 1980s, or the more recent Fukushima mishap in Japan.

If Russia has resumed low-level nuclear testing--and that's a very big "if" at this point--it will create another contentious issue between Moscow and Washington, landing squarely on the desk of the new NSA. Confirmation of testing, coupled with the aforementioned cruise missile deployment, would demand a response from the U.S., while many at the White House favor a more collegial approach. Threading that sort of needle will be Job #1 for Mike Flynn's replacement. To be sure, this incident began unfolding while Barack Obama was still in office, but to no one's surprise, he punted to the incoming administration.

Welcome to the West Wing.

***ADDENDUM***

Strategic Sentinel, which covers a variety of military and intelligence topics, reports the WC-135 has not flown since deploying to the U.K.

Tuesday, February 14, 2017

It sounds like something from a second-rate spy novel, or a B-grade gangster film. But it's not the stuff of fiction; it's the story of family rivalry, money, political assassination and North Korea. And it happened in Kuala Lumpur just hours ago.

Kim Jong-nam, half-brother to DPRK dictator Kim Jong-un, died at a hospital in the Malaysian capital, apparently after being poisoned by a pair of female North Korean operatives. More from Reuters:

Malaysian police official Fadzil Ahmat said the cause of Kim's death was not yet known, and that a post mortem would be carried out.

"So far there are no suspects, but we have started investigations and are looking at a few possibilities to get leads," Fadzil told Reuters.

According to Fadzil, Kim had been planning to travel to Macau on Monday when he fell ill at the low-cost terminal of Kuala Lumpur International Airport (KLIA).

"The deceased ... felt like someone grabbed or held his face from behind," Fadzil said. "He felt dizzy, so he asked for help at the ... counter of KLIA."

Kim was taken to an airport clinic where he still felt unwell, and it was decided to take him to hospital. He died in the ambulance on the way to Putrajaya Hospital, Fadzil added.

South Korea's TV Chosun, a cable-TV network, reported that Kim had been poisoned with a needle by two women believed to be North Korean operatives who fled in a taxi and were at large, citing multiple South Korean government sources.

Claims that Kim Jong-nam was poisoned could not be verified by Reuters. A spokesman for the ROK foreign ministry declined comment on the matter and there was no immediate reaction from South Korean intelligence agencies.

But the "hit"--if it can be confirmed--would hardly be surprising. Since taking power after the death of his father in 2011, Kim Jong-un has ordered the execution of more than 40 high-ranking officials and family members, including his uncle, Jang Song Thaek, who was appointed to guide him through the transition process. Some of the executions have been particularly brutal, even by Pyongyang's standards. Two officials were killed with anti-aircraft guns; another was murdered with a mortar.

Despite this bloody history, the assassination of Kim Jong-nam is puzzling. He was something of a black sheep in North Korea's ruling family. The son of one of Kim Jong-il's mistresses, Kim Jong-nam was only briefly viewed as a serious contender for power--and whatever chance he had vaporized in 2001, when he was detained in Japan, after trying to enter the country on a forged passport.

Instead, Kim Jong-nam spent much of his time outside the DPRK, traveling to countries like Malaysia, which allows North Koreans to enter without a visa. He also made periodic excursions to Singapore, Hong Kong, and Macau, home to some of the banks which handle the money of the DPRK's ruling elites. Kim Jong-nam was conspicuously absent from his father's funeral six years ago, and said publicly that he opposed "third generation succession," an obvious reference to his half-brother, the latest member of the Kim dynasty to lead North Korea's oppressive, communist government.

Still, Kim Jong-nam was more of an embarrassment or public relations problem than a threat to North Korean leadership. So, why go to the effort of dispatching an assassination team to Malaysia to bump off the ne'er-do-well half-brother? Some analysts believe that Kim Jong-un and "regime loyalists" had him marked for death long ago. But the real answer may lie in Kim Jong-nam's lifestyle, and how that presented a potential threat to the regime.

By North Korean standards, Kim Jong-un's half-brother lived a luxurious lifestyle, with the freedom to travel wherever he chose. And someone had to pick up the tab. That "someone" was the North Korean treasury, run by the current dictator. There are reports that Kim Jong-nam's "allowance" was terminated in 2012, for criticizing the regime's succession policy. He was reportedly kicked out of a luxury hotel in Moscow (another favorite haunt) after running up a $15,000 bill he was unable to pay. Yet, he still lived a nomadic existence, and at least some of his travel and living expenses were still being paid.

Yet, it is also noteworthy that the hit occurred in the economy terminal of the Kuala Lumpur airport, suggesting that Kim Jong-nam wasn't enjoying the jet set style he once lived. And that raises an obvious question: if Kim Jong-il's older son was experiencing cash flow problems, was he exploring a potential solution to those ills, namely a defection? Traditionally, South Korea has paid handsomely for high-ranking political and military defectors from the North. Securing the defection of a member of the ruling family would be an enormous propaganda victory for Seoul--and provide ample reason for Kim Jong-un to dispatch his assassins.

And, for a man long out of favor in Pyongyang, Kim Jong-nam might have something else of value: details on the Kim family fortune and how North Korea's ruling establishment hides its wealth. Such information would be extremely helpful in future sanctions against the DPRK; if senior political officials and military officers couldn't access their money, it would weaken Kim Jong-un's hold on power. A recent diplomatic defector--the former number two diplomat at the North Korean embassy in London--told ROK debriefers that Kim Jong-un's grip is slipping, although there is little outward evidence to support that claim.

Was Kim Jong-nam about to flee to South Korea or the West? We may never know. Available evidence suggests that any contacts between Kim Jong-nam and foreign intelligence services were tentative--if they existed at all. He was apparently traveling alone, with no handlers or protection, allowing DPRK operatives to get close enough to administer a lethal dose of poison.

This much we know: Kim Jong-nam did enough to get himself killed, simply by being a perennial embarrassment to Pyongyang, or engaging in activities deemed far more dangerous by his younger brother. And, an accurate accounting of those "activities"--if it ever comes--may provide a much better picture of North Korea's newest tyrant and what's really going on inside the hermit kingdom.

***ADDENDUM***

Updated media coverage has offered a few more details, but those "revelations" must be taken with a large grain of salt. Outlets in South Korea suggest that Kim Jong-un signed off on his half-brother's assassination back in 2011, shortly after taking power. That raises obvious questions as to why the hit took so long. True, Kim Jong-nam traveled a lot, but his whereabouts weren't exactly a state secret. If nothing else, North Korean operatives only had to trail Japanese journalists to find Kim Jong-nam; reporters from various publications in Japan had no trouble locating Kim Jong-il's oldest son, yet the assassination didn't occur until this week.

Other reporting suggests that DPRK operatives "approached" Kim Jong-nam a few days before the hit and invited him to return to Pyongyang, an invitation he declined. Given the number of high-ranking officials executed in recent years, Kim Jong-nam decided to take his chances outside North Korea. His refusal set in motion the long-ordered assassination plot.

One final note: in an interview with a Japanese reporter, Kim Jong-nam said he made his living from "investments." That would affirm that he had access to at least a portion of the Kim family fortune, and had details on how much money there is, where it's invested and how it's spent. That's the kind of information that Kim Jong-nam might have offered to ROK intelligence or a western service, in exchange for asylum, protection and a sizable financial bounty. Obviously, there's no evidence of such contacts (at least not publicly), but something happened in recent weeks that made Kim Jong-nam's elimination a priority. We still believe the answer lies in his financial dealings and the billions plundered by the Kim family.

Monday, February 06, 2017

Amid the hoopla over the Patriots' epic Super Bowl comeback and the on-going legal battle over President Trump's executive order on immigration, there was a third story over the weekend, one that deserves much more attention than it's getting.

So far, coverage of this developing scandal has belonged largely to the Daily Caller, where investigative reporter Luke Rosiak provided a major update on Saturday. He learned that three Capitol Hill IT staffers--all brothers--have been "relieved from their duties" for allegedly accessing Congressional computer networks without authorization. Previous accounts suggested the three were under investigation only for stealing computer equipment from the various Congressmen who employed them.

Three brothers who managed office information technology for members
of the House Permanent Select Committee on Intelligence and other
lawmakers were abruptly relieved of their duties on suspicion that they
accessed congressional computers without permission.

Brothers Abid, Imran, and Jamal Awan were barred from computer
networks at the House of Representatives Thursday, The Daily Caller News
Foundation Investigative Group has learned.

Three members of the intelligence panel and five members of the House
Committee on Foreign Affairs were among the dozens of members who
employed the suspects on a shared basis. The two committees deal with
many of the nation’s most sensitive issues and documents, including
those related to the war on terrorism.

Also among those whose computer systems may have been compromised is
Rep. Debbie Wasserman Schultz, the Florida Democrat who was previously
the target of a disastrous email hack when she served as chairman of the Democratic National Committee during the 2016 campaign.

The brothers are suspected of serious violations, including accessing
members’ computer networks without their knowledge and stealing
equipment from Congress.

All three were "shared staffers," working for multiple Congressional offices which contributed towards their salary and benefits packages. Along with Wasserman Schultz, Imran Awan also worked for two members of the House Permanent Select Committee on Intelligence (HPSCI), Democratic Representatives Andre Carson of Indiana and Jackie Speier of California.

Jamal Awan handled IT functions for Texas Democrat Joaquin Castro, who serves on both the intelligence and the House Foreign Affairs committees. He also worked for Louisiana Democrat Cedric Richmond, a member of the Homeland Security Committee. Abid Awan was an IT specialist for Tammy Duckworth of Illinois, who was elected to the Senate in November. He performed similar duties for Florida Congresswoman Lois Frankel, who sits on the Foreign Affairs Committee.

The Daily Caller account differs significantly from a brief item in Politico, which appeared on Thursday. That initial report emphasized the theft element of the allegations, mentioning the illegal access of Congressional systems only in passing. As Mr. Rosiak's report indicates, that latter charge could be far more serious, given the classified material that some of the representatives have access to.

And for that matter, federal officials still haven't revealed which systems were breached. Members of the intelligence committee, for example, are cleared for information to the Top Secret/Sensitive Compartmented Information (TS/SCI) level and various special access programs (SAP), which include the crown jewels of American intelligence. Members of the foreign affairs panel are also typically cleared to the TS/SCI level.

That means the Congressmen (and women) who employed the Awan brothers had access to at least three computer networks: the Congressional version of NIPRNET, used for routine, unclassified information; SIPRNET, which handles information up to the Secret level; and JWICS, which is cleared for material at the TS/SCI level.

At this point, we don't know if the three men held security clearances, or the current status of their access to classified information. Media coverage suggests the brothers were among five Hill staffers under investigation since last year; in many cases, the opening of a criminal inquiry is sufficient grounds to suspend a clearance, and with it, access to information stored and transmitted on SIPRNET and JWICS.

As with any other governmental organization, classified material may be accessed or reviewed only at designated places on Capitol Hill. But if the Awan brothers had security clearances--and the ability to access SIPRNET or JWICS accounts assigned to members of Congress--they could review or even copy extraordinarily sensitive information, material that, if revealed or passed to a hostile power, could cause extremely grave damage to national security.

At this point, it must be cautioned that the clearance status of the three men has not been revealed. But, given the committee assignments of the Congressmen they worked for, it would be unusual for the brothers not to have a security clearance (emphasis ours). And, if the brothers had active clearances, they would have access to areas where Congressmen and their staffers review classified material, including Sensitive Compartmented Information Facilities (SCIFs) where TS/SCI information is retained. With the user IDs and passwords of Congressional representatives and/or staff members, they could access and even download reams of classified material.

Again, no federal official has stated publicly that the Awan brothers used this technique. But it's a convenient and effective means of gaining access to the nation's secrets. According to The New York Times, investigators looking into the activities of NSA traitor Edward Snowden determined that the system administrator likely used the passwords of colleagues or supervisors to access classified information, and to partly cover his tracks. Snowden also used "web crawler" software to "scrape" information out of NSA archives, following links in classified documents, and copying everything in its path. The insider attack was relatively simple, but devastatingly effective, allowing Snowden to gather vast amounts of intel secrets, which he later shared with WikiLeaks and Russian intelligence services.

So far, there is no confirmation that the Capitol Hill IT staffers engaged in similar activities. But with the right clearance, need-to-know and access to the login info for superiors and colleagues, they were in a position to access highly classified information.

Unfortunately, there are a number of unanswered questions about this incident, and it's unclear if more information will be forthcoming. A number of issues related to this investigation strike us as curious, to say the least. Among them:

1) Where is the FBI? Obviously, Congress operates by its own rules, but the unauthorized access of government computer systems is a federal crime, and falls under the bureau's purview. But limited press coverage suggests the investigation is being run by the Capitol Hill police. Perhaps Mr. Rosiak can do a little additional digging and determine what role--if any--is being performed by the bureau.

2) Exactly what systems were accessed? The Daily Caller specifically refers to IT systems, in the plural, based on information provided by the Capitol police and the House Sergeant-at-Arms. In this case, does "systems" refer to computers in each member's office (which are linked to the wider, unclassified network), or unclassified and classified systems?

3) How did the Awan brothers gain employment on Capitol Hill? The youngest, Jamal, is only 22 years old and began working in the House when he was only 20. What particular IT skills did the men offer that landed them high-paying jobs working for members of Congress? Records show each of the men had an annual salary of $160,000, roughly three times the average IT salary on the Hill.

4) Why did House security managers ignore warning signs about Abid Awan? His car was repossessed in 2009 and he declared bankruptcy in 2012, facing multiple lawsuits. Recurring financial problems are among the most common reasons for suspending (or terminating) a security clearance, but there are no indications that Mr. Awan lost his clearance--assuming he had one--or access to Congressional IT systems until the investigation began last year.

5) Finally, what is the role of Hina Alvi in all of this? Ms. Alvi is a female House IT staffer who works for many of the representatives that employed the Awan brothers, along with the House Democratic Caucus. She is also their landlord, listed as owner of the Lorton, Virginia home where the men have lived in recent years. Public records indicate there are multiple mortgages on the property. She is also the wife of Imran Awan.

Currently, the Capitol Hill IT scandal is barely a blip on the D.C. radar scope. But don't be surprised if it metastasizes into something far beyond a "procurement" matter.

***ADDENDUM***

PJ Media reports that some of the IT staffers under investigation are still working. The reason? As "shared employees," they must be terminated by all members of the House who employ them. Imran Awan and Alvi remained employed by at least one Congressman as of Monday evening, though their access to House IT systems has been blocked.